Chapter 1 Security Services (Overview)

To maintain the security of the Solaris Operating System (Solaris OS), Solaris software provides
the following features:

System Security –
The ability to prevent intrusion, to protect machine resources and devices
from misuse, and to protect files from malicious modification or unintentional
modification by users or intruders

Solaris Auditing –
The ability to identify the source of security changes to the system, including
file access, security-related system calls, and authentication failures

Security Policy –
The design and implementation of security guidelines for a computer or network
of computers

System Security

System security ensures that the system's resources are used properly.
Access controls can restrict who is permitted access to resources on the system.
The Solaris OS features for system security and access control include the following:

Role-based access control (RBAC) – An
architecture for creating special, restricted user accounts that are permitted
to perform specific administrative tasks. See Role-Based Access Control (Overview).

Privileges – Discrete
rights on processes to perform operations. These process rights are enforced
in the kernel. See Privileges (Overview).

Device management – Device policy additionally protects devices that are already protected
by UNIX permissions. Device allocation controls access
to peripheral devices, such as a microphone or CD-ROM drive. Upon deallocation,
device-clean scripts can then erase any data from the device. See Controlling Access to Devices.

Basic Audit Reporting Tool (BART) – A snapshot, called a manifest, of the file
attributes of files on a system. By comparing the manifests across systems
or on one system over time, changes to files can be monitored to reduce security
risks. See Chapter 5, Using the Basic Audit Reporting Tool (Tasks).
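An added Python illustration of the manifest idea described above (not the Solaris BART tool itself): it snapshots the same kinds of file attributes a manifest records (size, permission bits, owner, group, content hash) for a constructed sample tree, then reports what changed between two snapshots.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Snapshot size, mode, uid, gid and hash of every file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.stat(full)  # assumes regular files only (no symlinks)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            entries[os.path.relpath(full, root)] = dict(
                size=st.st_size, mode=oct(st.st_mode & 0o7777),
                uid=st.st_uid, gid=st.st_gid, sha256=digest)
    return entries

def compare(control, test):
    """Report paths added, deleted or changed, with the attributes that differ."""
    report = {"added": [], "deleted": [], "changed": {}}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report["added"].append(path)
        elif path not in test:
            report["deleted"].append(path)
        else:
            diffs = [k for k in control[path] if control[path][k] != test[path][k]]
            if diffs:
                report["changed"][path] = diffs
    return report

def write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(body)
    return path

def demo():
    # Constructed sample tree: take a control manifest, alter files, compare.
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0\n")
        shadow = write(root, "etc/shadow", b"root:!\n")
        os.chmod(shadow, 0o400)
        control = manifest(root)
        write(root, "etc/passwd", b"root:x:0:0\nbob:x:0:0\n")  # content edit
        os.chmod(shadow, 0o644)                                  # mode only
        write(root, "etc/rc.local", b"#!/bin/sh\n")             # new file
        return compare(control, manifest(root))
```

Running `demo()` flags the edited passwd file (size and hash), the relaxed shadow permissions (mode only) and the new rc.local, which is the kind of change a periodic manifest comparison is meant to surface.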

Solaris Cryptographic Services

Cryptography is the science of encrypting and decrypting data. Cryptography
is used to ensure integrity, privacy, and authenticity. Integrity means that
the data has not been altered. Privacy means that the data is not readable
by others. Authenticity for data means that what was delivered is what was
sent. User authentication means that the user has supplied one or more proofs
of identity. Authentication mechanisms mathematically verify the source of
the data or the proof of identity. Encryption mechanisms scramble data so
that the data is not readable by a casual observer. Cryptographic services
provide authentication and encryption mechanisms to applications and users.

Cryptographic algorithms use hashing, chaining, and other mathematical
techniques to create ciphers that are difficult to break. Authentication mechanisms
require that the sender and the receiver compute an identical number from
the data. Encryption mechanisms rely on the sender and the receiver sharing
information about the method of encryption. This information enables only
the receiver and the sender to decrypt the message. The Solaris OS provides a
centralized cryptographic framework, and provides encryption mechanisms that
are tied to particular applications.
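An added Python example (not from the Solaris documentation or the cryptographic framework) of the "identical number" requirement above: the sender computes an HMAC-SHA256 tag over the data with a shared key, and the receiver accepts the data only if it recomputes the same tag. SHARED_KEY and the message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key; a real deployment obtains keys from key management.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def authenticate(key: bytes, data: bytes) -> bytes:
    """Sender side: derive the authentication number (HMAC-SHA256 tag) from the data."""
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    A match means the data was not altered (integrity) and was produced by
    a holder of the key (authenticity)."""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    message = b"user=alice action=allocate device=audio0"  # constructed sample
    tag = authenticate(SHARED_KEY, message)
    intact = verify(SHARED_KEY, message, tag)
    tampered = verify(SHARED_KEY, message.replace(b"alice", b"bob"), tag)
    wrong_key = verify(b"some-other-key", message, tag)
    return intact, tampered, wrong_key

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```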

Solaris Cryptographic Framework – A
central framework of cryptographic services for kernel-level and user-level
consumers. Uses include passwords, IPsec, and third-party applications. The
cryptographic framework includes a number of software encryption modules.
The framework enables you to specify which software encryption modules or
hardware encryption sources an application can use. The framework is built
on the PKCS #11 v2 library. This library is implemented according to the
following standard: RSA Security Inc. PKCS #11 Cryptographic Token Interface
(Cryptoki). The library provides an API for third-party developers to plug
in the cryptographic requirements for their applications. See Chapter 13, Solaris Cryptographic Framework (Overview).

Authentication Services

Authentication is a mechanism that identifies a user or service based
on predefined criteria. Authentication services range from simple name-password
pairs to more elaborate challenge-response systems, such as smart cards and
biometrics. Strong authentication mechanisms rely on a user supplying information
that only that person knows, and a personal item that can be verified. A user
name is an example of information that the person knows. A smart card or a
fingerprint, for example, can be verified. The Solaris features for authentication
include the following:

Pluggable Authentication Module (PAM) – A framework that enables various authentication technologies to
be plugged into a system entry service without recompiling the service. Some
of the system entry services include login and ftp.
See Chapter 17, Using PAM.

Simple Authentication and Security
Layer (SASL) – A framework that provides authentication and
security services to network protocols. See Chapter 18, Using SASL.

Authentication With Encryption

Authentication with encryption is the basis of secure communication.
Authentication helps ensure that the source and the destination are the intended
parties. Encryption encodes the communication at the source, and decodes the
communication at the destination. Encryption prevents intruders from reading
any transmissions that the intruders might manage to intercept. The Solaris
features for secure communication include the following:

Solaris Auditing

Auditing is a fundamental concept of system security and maintainability.
Auditing is the process of examining the history of actions and events on
a system to determine what happened. The history is kept in a log of what
was done, when it was done, by whom, and what was affected. See Chapter 28, Solaris Auditing (Overview).

Security Policy

The phrase security policy, or policy,
is used throughout this book to refer to an organization's security guidelines.
Your site's security policy is the set of rules that define the sensitivity
of the information that is being processed and the measures that are used
to protect the information from unauthorized access. Security technologies
such as Solaris Secure Shell, authentication, RBAC, authorization, privileges, and resource
control provide measures to protect information.

Some security technologies also use the word policy when describing
specific aspects of their implementation. For example, Solaris auditing uses
audit policy options to configure some aspects of auditing policy. The following
table points to the glossary entries, man pages, and other information for features
that use the word policy to describe specific aspects of their implementation.